In httpdget.c, a variable is assigned to the heap, and is supposed to receive a smaller allocation. As this variable was not terminated properly, strncpy() will overwrite the data assigned next in memory.

Impact

By enticing a user to visit a malicious URL, an attacker could possibly execute arbitrary code with the rights of the user running mpg123.